1 / 33

Future of Government Info Sharing

Future of Government Info Sharing. Chris Wysopal CTO & Co-founder Veracode. The Future of Disclosure?. Enhanced Cybersecurity Services. Collect and Hide Information. Secret black boxes with secret signatures to protect you while maintaining ability of US Government to fight offensively.

cleta
Download Presentation

Future of Government Info Sharing

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Future of Government Info Sharing Chris Wysopal CTO & Co-founder Veracode

  2. The Future of Disclosure?

  3. Enhanced Cybersecurity Services Collect and Hide Information Secret black boxes with secret signatures to protect you while maintaining ability of US Government to fight offensively

  4. US Government Vision for Information Sharing • Threat information only • Attack signatures and Attack sources • Collected by Govt and Industry • Shared in secret

  5. Or do we treat information risk as a health and safety issue

  6. Collect and Share Information

  7. Mandatory Reporting • CDC - Mandatory Reporting of Infectious Diseases by Clinicians • Under the OSHA Recordkeeping regulation (29 CFR 1904), covered employers are required to prepare and maintain records of serious occupational injuries and illnesses, using the OSHA 300 Log. This information is important for employers, workers and OSHA in evaluating the safety of a workplace, understanding industry hazards, and implementing worker protections to reduce and eliminate hazards. • CPSC - Dangerous Products (Section 15) - Manufacturers, importers, distributors, and retailers are required to report to CPSC under Section 15 (b) of the Consumer Product Safety Act (CPSA) within 24 hours of obtaining information which reasonably supports the conclusion that a product does not comply with a safety rule issued under the CPSA, or contains a defect which could create a substantial risk of injury to the public or presents an unreasonable risk of serious injury or death, 15 U.S.C. § 2064(b). • NTSB Federal regulations require operators to notify the NTSB immediately of aviation accidents and certain incidents. An accident is defined as an occurrence associated with the operation of an aircraft that takes place between the time any person boards the aircraft with the intention of flight and all such persons have disembarked, and in which any person suffers death or serious injury, or in which the aircraft receives substantial damage. An incident is an occurrence other than an accident that affects or could affect the safety of operations.

  8. Commercial Airlines • First commercial air transportation began in early 1920’s transporting mail • Late 1920’s first passenger travel. Seen as supplementing rail service • 1930’s first international flights. LA to Shanghai and New York to London. • 1930’s Airlines become profitable. • Air accidents in the hundreds/year by 1940

  9. NTSB History • National Transportation Safety Board • Investigates Air, Rail, Commercial Vehicle, Ship, Pipeline accidents • Evaluates the effectiveness of other government agencies' programs for preventing transportation accidents • Grew out of Civil Aeronautics Board created by Bureau of Air Commerce Act in 1938 • First Major investigation was Douglas DC-3A crash in August 1940. • Approx 20 years after commercial air transportation begins, formal incident investigation starts

  10. Incident Disclosure

  11. NTSB Aviation Disclosure http://www.ntsb.gov/aviationquery/

  12. NTSB Incident Reports • Designed to learn from incidents and Improve • Root cause analysis • Recommendations • Public Investigation for serious incidents • Follows sound engineering principle of learning from failures.

  13. Outcome is Safety Recommendations and Safety Alerts “Recommendations are sent to the organization best able to address the safety issue, whether it is public or private.”

  14. Internet Incident History • DARPA funds CERT/CC at Carnegie Mellon following Morris Worm incident in 1988 • Commercial Internet began in 1992. Congress allows NSFNET to carry commercial traffic • It’s 20 years later. Where are our formal incident investigations?

  15. Data Breach for PII Disclosure • Data breach disclosure requirements vary widely based on type of information compromised and jurisdiction • Most states require PII to trigger mandatory disclosure • CA recently passed disclosure requirement for account information breach

  16. State Laws Vary

  17. What’s in the Breach Disclosure? • Notify the effected people what data was compromised • No requirement to disclose root cause • Imagine if NTSB incident reports were only “plane crashed on date, x, at location y” • If someone asked “how” there would often be no answer

  18. Why won’t they help us? • Drupal.org • Ross declined to name the third party responsible for the flaw, saying only that the company has worked with the software vendor to confirm the known vulnerability, which has been publicly disclosed. “We are still investigating and will share more detail when it is appropriate,” she said. • Federal Reserve • "The Federal Reserve System is aware that information was obtained by exploiting a temporary vulnerability in a website vendor product," a Fed spokesman told BankInfoSecurity on Feb. 7. "The exposure was fixed shortly after discovery and is no longer an issue. This incident did not affect critical operations of the Federal Reserve System."

  19. 6 Biggest Breaches of Early 2012 Source: Dark Reading, 6 Biggest Breaches Of 2012 So Far

  20. Commercial Breach Reports • Biased by customer base • Only summary data available • Imagine “11 planes had metal fatigue” • Each report slices data differently

  21. Current Root Cause Data is Weak

  22. Can root cause disclosure and a culture of learning from failure change the growth in breaches?

  23. A National Cyber Safety Board? • Reporting must be automated and consistent • Goal is actionable knowledge • Businesses want anonymity. We could still learn from breaches but there wouldn’t be additional incentive of staying out of news. • Need root cause analysis Cyber

  24. What Can We Learn • What classes of application vulnerabilities are being attacked. • What is the exploit rate of known vulnerabilities • Understand how non-regulated entities and/or non-regulated data are attacked • What are the vectors used by hacktivists and spies

  25. Prevalence of Apps With Flaws by Language

  26. 1st to 2nd Test Improvement by Language

  27. Conclusion • Ultimately, a National Data Breach Reporting Law should breed best practices for information sharing “for the good of the community.”  The fact that we’re not thinking about data breach investigation and notification like the NTSB shows how immature the IT security industry really is

  28. Questions Chris Wysopal cwysopal@veracode.com @weldpond

More Related